Mayhem - a memory bit corruption attack to bypass sudo and OpenSSH authentication

Researchers from Worcester Polytechnic Institute (USA) have presented a new type of attack, Mayhem, which uses the Rowhammer technique for distorting bits in dynamic random access memory to change the values of stack variables that a program uses as flags for deciding whether authentication and security checks have passed. Practical examples of the attack are demonstrated for bypassing authentication in SUDO, OpenSSH and MySQL, as well as for changing the result of security-related checks in the OpenSSL library.

The attack can be applied to applications whose checks compare whether a value differs from zero. Example of vulnerable code:

```c
int auth = 0;
/* ... verification code that changes the value of auth on successful authentication ... */
if (auth != 0)
    return AUTH_SUCCESS;
else
    return AUTH_FAILURE;
```

In the context of this example, for a successful attack it is enough to corrupt any bit in the memory associated with the 32-bit auth variable on the stack. If any bit in the variable is corrupted, the value is no longer zero and the conditional operator will treat authentication as successfully completed. Such checking patterns are common in applications and are found, for example, in SUDO, OpenSSH, MySQL and OpenSSL.

The attack can also be applied to comparisons of the form "if (auth == 1)", but in this case carrying it out becomes more difficult, since it is necessary to corrupt not any of the 32 bits but the last bit. The method can also be used to influence the values of variables in processor registers, since register contents can be temporarily spilled to the stack on a context switch, a function call, or when a signal handler fires. During the period when the register values are in memory, corruption can be introduced into that memory and the modified value will be restored into the register.

To corrupt the bits, one of the modifications of the RowHammer class of attack is used. Since DRAM is a two-dimensional array of cells, each consisting of a capacitor and a transistor, continuously reading the same memory region causes voltage fluctuations and anomalies that lead to a small loss of charge in neighbouring cells. If the read intensity is high enough, a neighbouring cell can lose a sufficiently large amount of charge that the next refresh cycle will not restore its original state in time, which changes the value of the data stored in the cell. To protect against RowHammer, chip manufacturers have added the TRR (Target Row Refresh) mechanism, which blocks cell corruption in particular cases but does not protect against all possible attack variants.

To protect against the Mayhem attack, it is recommended that comparisons not test for a difference from zero or equality with one, but check for a match using a random initial value with non-zero octets. In this case, to set the required value of the variable it is necessary to corrupt a significant number of bits precisely, which is unrealistic, unlike corrupting a single bit. Example of code not susceptible to the attack:

```c
int auth = 0xbe406d1a;
/* ... verification code that sets auth to 0x23ab8701 on successful authentication ... */
if (auth == 0x23ab8701)
    return AUTH_SUCCESS;
else
    return AUTH_FAILURE;
```
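The difference between the three comparison styles can be checked by exhaustively modelling a single-bit fault in the flag, as in the following added example (not code from the article, the researchers or sudo). The function names are illustrative, the flag is held in a `uint32_t` rather than the article's `int`, and only the two constants come from the article.

```c
#include <stdint.h>
#include <stdio.h>

#define AUTH_INIT    UINT32_C(0xbe406d1a) /* hardened initial value from the article */
#define AUTH_GRANTED UINT32_C(0x23ab8701) /* hardened success value from the article */

/* The three comparison styles discussed above (names are illustrative). */
static int check_nonzero(uint32_t auth)  { return auth != 0; }
static int check_is_one(uint32_t auth)   { return auth == 1; }
static int check_hardened(uint32_t auth) { return auth == AUTH_GRANTED; }

/* Fault model: exactly one bit of the "not authenticated" value is flipped.
 * Returns how many of the 32 possible flips make the check report success. */
static int single_flip_bypasses(uint32_t initial, int (*check)(uint32_t))
{
    int hits = 0;
    for (int bit = 0; bit < 32; bit++)
        if (check(initial ^ (UINT32_C(1) << bit)))
            hits++;
    return hits;
}

/* Number of bits that must change to turn value a into value b. */
static int hamming_distance(uint32_t a, uint32_t b)
{
    int n = 0;
    for (uint32_t x = a ^ b; x != 0; x &= x - 1) /* clears the lowest set bit */
        n++;
    return n;
}

int main(void)
{
    printf("auth != 0,  init 0:          %2d of 32 flips pass\n",
           single_flip_bypasses(0, check_nonzero));
    printf("auth == 1,  init 0:          %2d of 32 flips pass\n",
           single_flip_bypasses(0, check_is_one));
    printf("auth == 0x23ab8701, hardened: %2d of 32 flips pass\n",
           single_flip_bypasses(AUTH_INIT, check_hardened));
    printf("bits that must flip exactly:  %d\n",
           hamming_distance(AUTH_INIT, AUTH_GRANTED));
    return 0;
}
```

When choosing such constants for your own code, the Hamming distance between the initial and success values is the figure to review: the larger it is, the more bits a fault would have to hit at once.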

The described protection method has already been applied by the sudo developers and was included in release 1.9.15 as a fix for the vulnerability CVE-2023-42465. They plan to publish a prototype of the code for carrying out the attack after fixes have been made to the main vulnerable projects.

Source: opennet.ru